Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

In Specs we Trust? Conformance-Analysis of Implementation to Specifications in Node-RED and Associated Security Risks

Simon Schneider, Komal Kashish, Katja Tuma, Riccardo Scandariato

TL;DR

The paper investigates hidden information flows in Node-RED by performing a conformance analysis that compares node specifications against endpoints detected via CodeQL taint analysis. It crawls the Node-RED library, identifies endpoints, builds and validates a CodeQL query, and assesses a risk subset to categorize flows by severity. The study finds that about 55% of node packages exhibit divergences with additional endpoints not captured by specifications, and a substantial portion of flows pose high or medium security risk, especially when handling sensitive data. The results underscore the need for improved security vetting of contributed nodes, better specification practices, and potential framework-level restrictions to mitigate information leaks in open-source IoT ecosystems.

Abstract

Low-code development frameworks for IoT platforms offer a simple drag-and-drop mechanism to create applications for the billions of existing IoT devices without the need for extensive programming knowledge. The security of such software is crucial given the close integration of IoT devices in many highly sensitive areas such as healthcare or home automation. Node-RED is such a framework, where applications are built from nodes that are contributed by open-source developers. Its reliance on unvetted open-source contributions and lack of security checks raises the concern that the applications could be vulnerable to attacks, thereby imposing a security risk to end users. The low-code approach suggests, that many users could lack the technical knowledge to mitigate, understand, or even realize such security concerns. This paper focuses on "hidden" information flows in Node-RED nodes, meaning flows that are not captured by the specifications. They could (unknowingly or with malicious intent) cause leaks of sensitive information to unauthorized entities. We report the results of a conformance analysis of all nodes in the Node-RED framework, for which we compared the numbers of specified inputs and outputs of each node against the number of sources and sinks detected with CodeQL. The results show, that 55% of all nodes exhibit more possible flows than are specified. A risk assessment of a subset of the nodes showed, that 28% of them are associated with a high severity and 36% with a medium severity rating.

In Specs we Trust? Conformance-Analysis of Implementation to Specifications in Node-RED and Associated Security Risks

TL;DR

The paper investigates hidden information flows in Node-RED by performing a conformance analysis that compares node specifications against endpoints detected via CodeQL taint analysis. It crawls the Node-RED library, identifies endpoints, builds and validates a CodeQL query, and assesses a risk subset to categorize flows by severity. The study finds that about 55% of node packages exhibit divergences with additional endpoints not captured by specifications, and a substantial portion of flows pose high or medium security risk, especially when handling sensitive data. The results underscore the need for improved security vetting of contributed nodes, better specification practices, and potential framework-level restrictions to mitigate information leaks in open-source IoT ecosystems.

Abstract

Low-code development frameworks for IoT platforms offer a simple drag-and-drop mechanism to create applications for the billions of existing IoT devices without the need for extensive programming knowledge. The security of such software is crucial given the close integration of IoT devices in many highly sensitive areas such as healthcare or home automation. Node-RED is such a framework, where applications are built from nodes that are contributed by open-source developers. Its reliance on unvetted open-source contributions and lack of security checks raises the concern that the applications could be vulnerable to attacks, thereby imposing a security risk to end users. The low-code approach suggests, that many users could lack the technical knowledge to mitigate, understand, or even realize such security concerns. This paper focuses on "hidden" information flows in Node-RED nodes, meaning flows that are not captured by the specifications. They could (unknowingly or with malicious intent) cause leaks of sensitive information to unauthorized entities. We report the results of a conformance analysis of all nodes in the Node-RED framework, for which we compared the numbers of specified inputs and outputs of each node against the number of sources and sinks detected with CodeQL. The results show, that 55% of all nodes exhibit more possible flows than are specified. A risk assessment of a subset of the nodes showed, that 28% of them are associated with a high severity and 36% with a medium severity rating.

Paper Structure

This paper contains 26 sections, 6 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Node-RED
  4. CodeQL
  5. Conformance Analysis
  6. Methodology
  7. Crawling of the Node-RED library (step 1)
  8. Identification of nodes' endpoints (step 2)
  9. Conformance analysis (step 4)
  10. Evaluation of CodeQL's correctness (step 3)
  11. Risk assessment (step 5)
  12. Threats to validity
  13. Internal
  14. External
  15. Construct
  16. ...and 11 more sections

Figures (6)

  • Figure 1: Methodology of the conducted study.
  • Figure 2: Distribution of nodes per node package. Not showing the ten highest outliers because they skew the graph.
  • Figure 3: Distribution of the size of nodes (in LOC). Not showing the 100th percentile (51 samples) because it skews the graph.
  • Figure 4: Saturation of manually detected sources and sinks in the analyzed node packages. 100% $\hat{=}$ 127 endpoints.
  • Figure 5: Results of non-conformance analysis, generalized into the three standard cases; n = 4798.
  • ...and 1 more figures